Failure to Require SSL for Authentication Cookies

Web-based applications use the Secure Sockets Layer (SSL) protocol to encrypt data passed between the Web server and the client. Using SSL for application security means that attackers using network sniffers will not be able to interpret the exchanged data. Rather than seeing plaintext requests and responses, they will see only an indecipherable jumble of meaningless characters.

You can require the forms authentication cookie from your Web-based applications to use SSL by setting the requireSSL attribute of the forms element to true.

The previous section discussed the importance of transmitting the authentication token in a cookie, rather than embedding it in the request URL. However, disabling cookieless authentication is just the first step towards securing the authentication token. Unless requests made to the Web server are encrypted, a network sniffer will still be able to read the authentication token from the request cookie. An attacker would still be able to hijack the user's session.

At this point, you might be wondering why it is necessary with application security to disable cookieless authentication, since it is very inconvenient for users who won't accept cookies, and seeing as how the request still has to be sent over SSL. The answer is that the request URL is often persisted regardless of whether or not it was sent via SSL. Most major browsers save the complete URL in the browser history cache. If the history cache were to be compromised, the user's login credentials would be as well. Therefore, to truly secure the authentication token, you must require the authentication token to be stored in a cookie, and use SSL to ensure that the cookie be transmitted securely.

By setting the requireSSL attribute of the forms element to true, ASP.NET Web-based applications will use a secure connection when transmitting the authentication cookie to the Web server. Note that IIS requires additional configuration steps to support SSL. You can find instructions to configure SSL for IIS on MSDN.

There's no need to reinvent the wheel every time you run into a problem with ASP.NET's Model-View-Controller (MVC) framework. This concise cookbook provides recipes to help you solve tasks many web developers encounter every day. Each recipe includes...

by singmengyeong (0 replies)

by tim8w (1 replies)

by shannon.glisson98 (23 replies)

Published 5 years ago, running time 0h54m

Carl and Richard talk to Jeff Fritz about how ASP.NET has evolved over the years. Jeff talks about the continued dominance of web forms in relation to MVC and how the different libraries can be used together. In fact, there's ONE ASP.NET, and everything: web forms, MVC, Web API, SignalR, all work.